Network Access: Tailscale & Alternatives
For RemoteConsoleSSH to connect to your computer, your phone and your computer need to be able to reach each other over the network. If both devices are on the same Wi-Fi, this works out of the box. But if you want to connect from anywhere -- a coffee shop, a cellular network, a different city -- you need a way to bridge the gap.
This is where Tailscale comes in. We recommend it for most users because it is the simplest and most secure way to connect your devices. This guide covers Tailscale in detail, then walks through the alternatives.
What Is Tailscale?
Tailscale is a mesh VPN built on top of WireGuard. It creates a private, encrypted network (called a tailnet) between your devices. Once installed, your devices can talk to each other as if they were on the same local network -- no matter where they actually are.
Here is what makes Tailscale a great fit for SSH:
- Zero configuration -- No port forwarding, no dynamic DNS, no firewall rules. Install it, sign in, and your devices can see each other.
- Stable IP addresses -- Every device on your tailnet gets a fixed 100.x.x.x IP address that never changes, even if your real IP changes.
- End-to-end encryption -- All traffic between your devices is encrypted with WireGuard. Tailscale's servers coordinate connections but never see your data.
- Tailscale SSH -- Optionally, you can authenticate SSH sessions with your Tailscale identity instead of passwords or SSH keys. This means you do not need to manage SSH credentials at all.
- Free tier -- Up to 100 devices and 3 users at no cost.
How It Works
The concept is straightforward:
- Install Tailscale on your computer (the SSH server).
- Install Tailscale on your phone.
- Sign in with the same account on both devices.
- Your phone can now reach your computer using its Tailscale hostname or IP address.
There is no server in the middle relaying your traffic. Tailscale uses NAT traversal to establish direct peer-to-peer connections between your devices whenever possible. When a direct connection is not possible (rare), it falls back to encrypted relay servers (called DERP).
Tip
If you are new to VPNs or networking, Tailscale is by far the easiest path. You can be up and running in under five minutes with no networking knowledge required.
Set Up Tailscale on Your Computer
Install Tailscale on the machine you want to SSH into (your Mac, Linux server, or Windows PC).
Install Tailscale
Using Homebrew:
```bash
brew install --cask tailscale
```
Or download the app directly from tailscale.com/download/mac.
Sign In
Open the Tailscale app from your Applications folder or menu bar. Click Sign in and authenticate with your Google, Microsoft, GitHub, or other identity provider account.
Enable Tailscale SSH
Tailscale SSH lets you authenticate SSH connections using your Tailscale identity, so you do not need passwords or SSH keys. To enable it:
```bash
sudo tailscale up --ssh
```
This tells Tailscale to accept SSH connections authenticated by your tailnet identity. You can still use traditional SSH authentication alongside it.
Verify
Check that your machine is connected to your tailnet:
```bash
tailscale status
```
You will see output like:
```
100.64.0.1 my-macbook username@ macOS -
100.64.0.2 my-phone username@ iOS -
```
Note the 100.x.x.x IP and the hostname. You will use one of these to connect from RemoteConsoleSSH.
Set Up Tailscale on Your Phone
Install Tailscale
Download Tailscale from the App Store (iOS) or Google Play (Android).
Sign in with the same account
Open the Tailscale app and sign in with the exact same identity provider account you used on your computer. Both devices must be on the same tailnet.
Enable the VPN
When prompted, allow Tailscale to create a VPN configuration. On iOS, you will see a VPN icon in the status bar when Tailscale is active. On Android, you will see a key icon in the notification area.
Verify the connection
Open the Tailscale app on your phone. You should see your computer listed with its hostname and 100.x.x.x IP address. If it shows as "Connected," your phone can now reach your computer.
Connect in RemoteConsoleSSH
With Tailscale running on both devices, open RemoteConsoleSSH and add a new connection:
- Host: Enter your computer's Tailscale hostname (e.g., my-macbook) or its Tailscale IP address (e.g., 100.64.0.1). The hostname is usually easier to remember.
- Port: 22 (the default).
- Username: Your user account on the remote machine.
For authentication, you have two options depending on your Tailscale setup:
- Tailscale SSH enabled (tailscale up --ssh): You do not need a password or SSH key. Tailscale authenticates you based on your tailnet identity. Just leave the authentication fields empty or select "None" if available.
- Regular SSH over Tailscale: Use your normal SSH credentials (password or SSH key). The connection still goes through Tailscale's encrypted tunnel, but SSH handles the authentication itself.
Tip
Using Tailscale hostnames instead of IP addresses is recommended. If you ever need to re-provision your tailnet, hostnames stay the same while IPs might change.
Alternatives to Tailscale
Tailscale is our recommendation for most users, but it is not the only option. Here is a comparison of the most common ways to access your SSH server remotely.
| Method | Pros | Cons | Best for |
|---|---|---|---|
| Tailscale | Zero config, encrypted, free tier, Tailscale SSH | Requires install on both devices | Most users (recommended) |
| Local Wi-Fi | No extra software needed | Same network only, no remote access | Home or office use |
| Port forwarding | Works from anywhere, no extra software | Security risk, complex router config, dynamic IP | Advanced users with static IPs |
| Cloudflare Tunnel | Free, no open ports, DDoS protection | Complex setup, requires a domain name | Web developers, self-hosters |
| ZeroTier | Similar to Tailscale, self-hostable | Smaller community, less polish | Tailscale alternative |
| ngrok | Quick to set up, no install on server | Paid for SSH tunnels, added latency | Temporary or demo access |
| WireGuard (manual) | Maximum control, no third-party dependency | Complex key management, manual config | Self-hosters who want full control |
Local Wi-Fi
If your phone and your computer are on the same Wi-Fi network, you can connect directly using your computer's local IP address (e.g., 192.168.1.42) or hostname (e.g., My-MacBook.local on macOS).
This is the simplest setup -- no extra software needed at all. The limitation is that it only works when both devices are on the same network. Once you leave your home or office Wi-Fi, the connection is no longer possible.
To find your computer's local IP address, see the instructions in the Enable Remote Login guide.
Port Forwarding
Port forwarding configures your home router to route incoming traffic on a specific port (usually 22) to your computer's local IP address. This lets you connect from anywhere on the internet.
To set it up, log into your router's admin interface (usually at 192.168.1.1) and find the port forwarding section. Create a rule that forwards external port 22 to your computer's internal IP address on port 22.
The downsides are significant. Your SSH server is now exposed to the entire internet, which means anyone can attempt to connect. You should use SSH key authentication and disable password login if you go this route. Additionally, most home internet connections have dynamic IP addresses that change periodically, so you may need a dynamic DNS service (like DuckDNS or No-IP) to maintain a stable hostname.
Warning
Exposing SSH to the public internet is a security risk. If you choose port forwarding, use SSH key authentication exclusively, disable password login, and consider running SSH on a non-standard port. Better yet, use Tailscale instead.
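One way to check the settings named in the warning above before opening the port, as an added example that is not part of the original guide: the function reads the output of `sudo sshd -T` (sshd's effective configuration) and reports every setting that still allows password logins. The function name and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit sshd's effective settings before forwarding port 22.
# Real use: sudo sshd -T | audit_sshd

audit_sshd() {  # stdin: `sshd -T` output; prints FAIL lines, returns 1 if any
  awk '
    BEGIN {
      bad = 0
      want["passwordauthentication"]       = "no"
      want["kbdinteractiveauthentication"] = "no"   # PAM can prompt for passwords here
      want["pubkeyauthentication"]         = "yes"
    }
    { seen[$1] = $2 }
    END {
      # Older OpenSSH reports this keyword separately; check it when present.
      if ("challengeresponseauthentication" in seen)
        want["challengeresponseauthentication"] = "no"
      for (k in want) {
        if (!(k in seen)) {
          printf "FAIL %s: not reported\n", k; bad = 1
        } else if (seen[k] != want[k]) {
          printf "FAIL %s is %s, want %s\n", k, seen[k], want[k]; bad = 1
        }
      }
      exit bad
    }'
}

# Constructed sample inputs (not captured from a real host).
sample_weak() {
  printf '%s\n' 'port 22' 'passwordauthentication yes' \
    'kbdinteractiveauthentication yes' 'pubkeyauthentication yes'
}
sample_hardened() {
  printf '%s\n' 'port 22' 'passwordauthentication no' \
    'kbdinteractiveauthentication no' 'pubkeyauthentication yes'
}

sample_weak | audit_sshd || echo "not ready to expose"
```

Auditing `sshd -T` rather than the config file catches settings that come from included files or compiled-in defaults.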
Cloudflare Tunnel
Cloudflare Tunnel (formerly Argo Tunnel) creates an outbound-only connection from your machine to Cloudflare's network. You do not need to open any ports on your router.
To set it up, you need a Cloudflare account and a domain name managed by Cloudflare. Install cloudflared on your server, authenticate it with your Cloudflare account, and create a tunnel that maps a hostname (e.g., ssh.yourdomain.com) to localhost:22.
```bash
# Install cloudflared
brew install cloudflare/cloudflare/cloudflared # macOS
# Or: sudo apt install cloudflared # Debian/Ubuntu
# Authenticate
cloudflared tunnel login
# Create a tunnel
cloudflared tunnel create my-ssh-tunnel
# Configure and run
cloudflared tunnel route dns my-ssh-tunnel ssh.yourdomain.com
cloudflared tunnel run my-ssh-tunnel
```
This is a solid option for users who already have a domain on Cloudflare. For most people, Tailscale is simpler because it does not require a domain name or Cloudflare account.
ZeroTier
ZeroTier is a peer-to-peer VPN similar to Tailscale. It creates a virtual network that your devices join, and each device gets a stable IP address.
```bash
# Install
curl -s https://install.zerotier.com | sudo bash
# Join a network (create one at my.zerotier.com first)
sudo zerotier-cli join <network-id>
```
Install ZeroTier on both your computer and phone, join the same network, and connect using the ZeroTier IP address. It works well, but has a smaller community and less polished documentation compared to Tailscale.
ngrok
ngrok creates temporary tunnels to expose local services to the internet. It is primarily designed for HTTP, but it supports TCP tunnels for SSH on paid plans.
```bash
# Install
brew install ngrok # macOS
# Authenticate
ngrok config add-authtoken <your-token>
# Create a TCP tunnel to your SSH server
ngrok tcp 22
```
ngrok gives you a temporary hostname and port (e.g., 0.tcp.ngrok.io:12345) that you can use to connect. This is useful for quick, temporary access, but the hostname and port change every time you restart the tunnel unless you pay for a reserved address. The added latency from routing through ngrok's servers can also be noticeable.
WireGuard (Manual Setup)
WireGuard is the underlying protocol that Tailscale uses. You can set it up manually for maximum control and zero dependency on third-party services.
```bash
# Install WireGuard
sudo apt install wireguard # Debian/Ubuntu
brew install wireguard-tools # macOS
# Generate key pair (umask 077 keeps the private key file readable only by you)
umask 077
wg genkey | tee privatekey | wg pubkey > publickey
```
Manual WireGuard setup involves generating key pairs on each device, configuring IP addresses, and exchanging public keys. You also need to configure your router to forward the WireGuard port (default: 51820/UDP). The WireGuard app is available on iOS and Android for the phone side.
This gives you complete control over your VPN, but the key management and configuration overhead is significant. Tailscale is essentially WireGuard with automatic key management and NAT traversal, which is why we recommend it for most users.
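The key exchange and addressing described above, as an added example that is not part of the original guide: it writes the two wg-quick configuration files for a computer and a phone, where each side holds its own private key and only the other side's public key. The 10.8.0.0/24 tunnel subnet, the file names, the function names and the `vpn.example.net` endpoint are assumptions, and the demo keys are constructed placeholders.

```shell
#!/bin/sh
# Added example: render the two wg-quick configs for a computer <-> phone tunnel.
# Assumptions (not from the page): subnet 10.8.0.0/24, file and function names.

is_wg_key() {  # a WireGuard key is 32 bytes: 43 base64 characters plus "="
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# write_wg_pair DIR COMPUTER_PRIV COMPUTER_PUB PHONE_PRIV PHONE_PUB ENDPOINT
write_wg_pair() {
  dir=$1 spriv=$2 spub=$3 ppriv=$4 ppub=$5 endpoint=$6
  for k in "$spriv" "$spub" "$ppriv" "$ppub"; do
    is_wg_key "$k" || { echo "malformed key" >&2; return 1; }
  done
  # Catch the common paste mistake of using one key in both roles.
  [ "$spriv" != "$spub" ] && [ "$ppriv" != "$ppub" ] ||
    { echo "private key reused as public key" >&2; return 1; }
  (
    umask 077   # both files contain a private key: owner-only permissions
    cat > "$dir/computer-wg0.conf" <<EOF
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = $spriv

[Peer]
PublicKey = $ppub
AllowedIPs = 10.8.0.2/32
EOF
    cat > "$dir/phone-wg0.conf" <<EOF
[Interface]
Address = 10.8.0.2/32
PrivateKey = $ppriv

[Peer]
PublicKey = $spub
Endpoint = $endpoint:51820
AllowedIPs = 10.8.0.1/32
PersistentKeepalive = 25
EOF
  )
}

# Demo with constructed placeholder keys (real ones come from wg genkey / wg pubkey).
demo=$(mktemp -d); mk() { printf '%s%042d=' "$1" 0; }
write_wg_pair "$demo" "$(mk a)" "$(mk b)" "$(mk c)" "$(mk d)" vpn.example.net && ls -l "$demo"
```

The `/32` entries in `AllowedIPs` limit each peer to the single tunnel address of the other device, so the phone reaches only the computer through the tunnel.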
Next Steps
- Enable Remote Login (SSH) if you have not already enabled the SSH server on your computer.
- Configure SSH key authentication for secure, password-free login.
- Install tmux for persistent terminal sessions.